In the first known case of a U.S. regional agency purchasing malware, a Florida Department of Law Enforcement officer bought FlexiSpy.

A state law enforcement officer, apparently without the knowledge of his own agency, purchased malware that can intercept social media messages, emails, and much more, according to data obtained by Motherboard.

Although it’s unclear why the investigator bought the malware, which requires physical access to a smartphone to install, this is the first known case of a US state law enforcement officer purchasing such a tool. In a similar way to how surveillance technology such as Stingrays has trickled down to local agencies, the news highlights how spying software is not limited to federal agencies such as the FBIor DEA, but has spread, in some form, to more regional forces.

The purchase was “probably a program I used on a case or tried it to understand how it worked. Nothing nefarious. Need a court order to use on someone without consent.” Jim Born, the former DEA official and Special Agent at the Florida Department of Law Enforcement (FDLE) who purchased the malware, told Motherboard in a Facebook message. Born is now retired.

The malware in question is FlexiSpy, a piece of software available on the open market to the everyday consumer. Previously, FlexiSpy explicitly marketed the product to jealous lovers to spy on their spouses.

“Many spouses cheat. They all use cell phones. Their cell phone will tell you what they won’t,” one piece of marketing material reads (After Motherboard obtained a large cache of hacked FlexiSpy data and reported extensively on the company last year, FlexiSpy tweaked its marketing to focus on monitoring children and employees.)

FlexiSpy has continually added features to its malware over the years, including the ability to siphon WhatsApp messages, remotely turn on the phone’s camera and microphone, rip files stored on the device, and hide itself from the target.

Got a tip? You can contact this reporter securely on Signal at +44 20 8133 5190, OTR chat at jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Born’s FDLE email was included in the FlexiSpy customer records obtained by Motherboard. Notably, it appears Born did not buy the malware through official procurement channels, though.

“I checked with our purchasing office and we have no record of FDLE purchasing this,” an agency spokesperson told Motherboard in an email.

Riana Pfefferkorn, the cryptography fellow at the Stanford Center for Internet and Society, told Motherboard in an email, “Officers should not be buying malware on their own dime for use at work—and using their official email address in the process. Purchases of forensics software (already common in US police departments) should go through normal procurement processes, should have documentation (subject to public records laws), and should be subject to oversight.”

“If the malware was ‘used on a case,’ how exactly did he use it, and why did he apparently not document that? Did he get the appropriate court order? Given the functionality of FlexiSpy, it would seem to require a wiretap order, not just a search and seizure warrant,” she added.

Some may write-off FlexiSpy’s significance because of its physical access requirement, as it limits how this malware could be deployed by a law enforcement official: The software cannot be delivered remotely via a web browser or messenger exploit, for example. But that would overlook some of the other cases where malware like this could be used by regional investigators.

“The police may have many mobile devices in custody, taken from crime scenes, suspects, victims, etc. Or an officer may take a device away only temporarily before returning it to the owner,” Pfefferkorn said. “There are ample opportunities for physical access to install this malware.” In Motherboard’s own tests with other pieces of consumer spyware, installing the malware could likely be done in less than a minute.

Indeed, even though the DEA spent hundreds of thousands of dollars on Hacking Team’s RCS, a piece of malware specifically marketed to law enforcement and which allows remote infection, in the vast majority of cases the agency used it on phones they had physical access to, according to a letter the DEA sent to US Senator Chuck Grassley in 2015.